Hospital says spreadsheets with information on more than 20k patients sent to job applicants

Rady Children's Hospital is notifying the parents of more than 20,000 patients that on two occasions, its employees mistakenly forwarded some of their private health information to a handful of job applicants.

On June 6, a Rady employee emailed a spreadsheet that contained protected information about 14,121 patients to four applicants for data management jobs who subsequently forwarded the document on to two other people, according to a statement released after business hours Tuesday.

The spreadsheet contained the names, dates of birth, primary diagnoses, admittance and discharge dates, medical record numbers and other information like insurance claim information. It did not include Social Security, insurance or credit card numbers; street addresses; or information on the young patients' parents or guardians.

Rady officials said they contacted all six recipients and confirmed, with an independent information technology security firm, that the errant spreadsheet was deleted. Two of the recipients had been unable to open the file, the hospital said.

In investigating the first breach, a second was uncovered.

According to Rady's statement, a different employee emailed a training exercise to three job candidates. Six more viewed the private patient data when they came to the hospital's campus to take a test on company computers.

The second file contained information on 6,307 patients who were registered for inpatient or outpatient treatment between June 30, 2009 and June 30, 2010. The information included patients' names, discharge dates, the locations where they were treated and account information such as insurance companies' names and the outstanding balance.

The hospital said it set up a phone bank staffed by more than 150 employees to contact families for the 2014 breach and mailed notices to each family on Monday. Plans are underway to send similar notification letters "as soon as possible" to families caught up in the 2012 release.

Ben Metcalf, a spokesman for Rady, said Tuesday night that in the 2014 case, the employee mistakenly attached the wrong file to the email while the employee in the 2012 incident "did not realize that the information constituted protected health information."

In both cases, he said, the employment files were intended to gauge applicants' aptitude as part of the hiring process. The hospital is taking steps to use only "validated testing programs" to evaluate future candidates. Rady officials said they also will hold additional training to help employees prevent future breaches.